eIDAS Pilot Convergence with Mobile Connect

With many obstacles to European cross-border trading having been removed through the mechanism of the European Single Market, the European Commission (EC) has sought to implement a digital single market to ensure frictionless commerce across borders.

The 2014 electronic IDentification, Authentication, and Trust Services (eIDAS) regulation presented an opportunity to provide a benchmark for identification and interoperability across states. Supported by the fact that citizens across Europe have access to services regardless of the member state they are a citizen of, there has arisen the necessity to introduce a reliable and secure identity solution parallel with the principles of eIDAS.

As reported by ABI Research in MD-NWMT-102, the number of annual mobile subscriptions in Europe in 2018 stood at approximately 1.16 billion. Therefore, the mobile industry (including Orange, AriadNEXT, Telenor, Clayster, and France Connect) has integrated Mobile Connect (the GSMA secure universal login and identity solution) with an eIDAS pilot to securely identify and authenticate citizens while managing entitlements for access to cross-border services. The pilot took the form of enabling customers of participating Spanish mobile operators to access Finnish e-government services and was supported by vendors and organizations including Telefónica, Telia Company, Vodafone Spain, Gemalto, Mobile World Capital, the Catalonia Regional Government, the Finnish Ministry of Finance, and the Finnish Population Register Centre. The hope is that natural synergy between the regulation and the solution will function alongside member state investments in identity initiatives to drive the large-scale adoption of secure and reliable digital identity management.

The eIDAS regulation enables the use of eID and electronic trust services by citizens, businesses, and public administrations to access online services and manage electronic transactions. Furthermore, it lays the groundwork for mutual recognition and acceptance of eID across borders with legal status, paving the road for a digital single market. It is important to note that eID will only see significant penetration rates among citizens and businesses should they be confident in their legal validity through a number of qualifying criteria:

• Ensuring citizens can use their own national eID to access private or public services in foreign nations
• Creating an internal European market for electronic trust services delivered by trusted service providers (TSPs), including five signature-based authentication services:
  • Website authentication
  • Electronic timestamps
  • Electronic seals to support the integrity of documentation
  • Electronic delivery services to ratify and acknowledge receipt
  • Electronic Signatures

However, it is important to note that eIDAS does not lay out the technical means by which interoperability will be achieved for eID. That being said, eIDAS does state the Level of Assurance (LoA) for trust service implementation:

1. Enrollment in trust services (local or remote)
   1. Application, registration, identity proofing
2. eID credential management
   1. Issuance, delivery, storage (in secure elements or as tokens etc.)
3. Authentication protocols inherent to the trust services themselves
   1. E-signatures for companies to sign contracts cross-border
   2. Using eID to open bank accounts abroad
   3. eCommerce website authentication

With 14 million EU citizens resident in another member state, enabling the access of online services for citizens by using their National ID is a cornerstone of the digital single market strategy. With the legal framework provided by the eIDAS regulations, the international recognition of national eID programs has occurred, thereby ensuring interoperability across borders while maintaining stringent security and authentication. This was reinforced in September 2018, when all online public services requiring electronic identification of a substantial level were required to be able to integrate and accept eID programs of other EU nations. Through a technical infrastructure of interconnected eIDAS Nodes, the regulation enables citizens of member countries to engage in secure electronic transactions, including but not limited to filing tax returns, accessing medical records, and enrolling in foreign educational institutions.

Furthermore, eIDAS regulations provide assurances to relocating citizens, who may be initially untrusting of new, electronic authentication practices, to manage registration and administration requirements with the same legal certainty as they would have with established paper-based processes. By providing citizens with a platform to complete electronic transactions in another EU country with legally-supported trust services that provide e-signatures, timestamps, and website authentication, it is estimated that, by 2022, a significant market will be derived from the increased revenues of government agencies and the private sector.

For many member states within the European Union, the private sector and the mobile industry have already experienced a convergence, with electronic identification and authentication enablement leveraged by pre-existing mobile solutions. The eIDAS regulations have recognized this and include private sector mobile solutions within the national legislation that has been introduced. This has not been without complications however; to make digital identity a wholly scalable solution, there is an unmistakable requirement for mutually-beneficial cooperation between the government and the private sector. For full adoption of private sector mobile solutions, it would be necessary to introduce amendments to the law to ensure they are fully compliant with regulations. After all, few countries (like Finland) will have specific legislation covering eID and, instead, use repurposed e-signature laws to provide grounding. This means that Mobile Connect could break down the barriers of fragmented national ID programs and interface types by offering a universal, secure login solution to drive the interoperability demanded by the eIDAS regulations.

Utilizing eIDAS, an opportunity has presented itself for MNOs to become the primary trusted providers of digital identity in Europe. With regulations ramping up the implementation of digital identity programs, MNOs could channel new revenue streams through the provision of trust services with the validation and verification of mobile signatures. The mechanism behind the opportunity is that MNOs can ascertain a wide reach among citizens and provide consistent, trusted security. The last few decades have shown, predominantly, that mobile operators can provide calls, internet access, messaging, and data exchange securely while protecting customers’ personal data, meaning the introduction of Mobile Connect is based on a system that is already proven. Mobile Connect will supply secure and easy-to-use access to online services through a multi-factor baseline solution, incorporating authorization and authentication for consumers and providing a number of advantages:

• This is a simple and convenient solution, lowering operational costs and optimizing profit margins with no tradeoff in security or quality.
• Mobile Connect prioritizes privacy of data, as the operator will confirm the validity of the credentials while consent for sharing data comes only from the consumer.
• End-users use a combination of their unique mobile number and a PIN, or other authentication factors, to verify themselves. This provides secure and strong customer authentication with no passwords and improved user experience.
• Incorporating security and trust into digital transactions by confirming originating transaction locations and usage patterns improves end-user trust in the solution, amplifying adoption rates and public confidence.

So far, Mobile Connect is operational in over 30 countries across the globe and supported by 60 MNOs. Issuing a solution that enables governments and service providers to offer citizens an authentication experience that matches the optimal offering in the private sector allows end-users to benefit from the utilization of mobile technology to forego legacy infrastructure and economic barriers and experience a secure digital identity program that delivers in omnibus locis.